Configuring RHEL servers to authenticate with Windows Server 2008Active Directory

Kenneth Holter kenneho.ndu at gmail.com
Tue Apr 20 06:50:36 UTC 2010


This is my understanding too, but I'm hoping there is a workaround to this.
Seems like login to RHEL-servers don't work when the user is expected to
change their passwords (either because the password has expired, or when one
checks the "User must change password on next logon" in AD).

- Kenneth

On Mon, Apr 19, 2010 at 3:09 PM, Mike Burger <mburger at bubbanfriends.org>wrote:

> My understanding is that they need to change it from the AD/Windows side.
>
> > Hi all.
> >
> >
> > I've got my RHEL-server to autenticate against Active Directory, and
> > things
> > are looking good. I have one small issue maybe someone here know how to
> > fix:
> > When a users password expires the user must be able to change it. Nomally
> > a
> > users would be allowed to log in based on the current password, be she
> > would
> > be promted for a new password following the login. In the current setup
> > where my linux servers autheticate against AD, the users whose password
> > have
> > expired are simply locked out from the server. Is there a way to tune
> > linux
> > to allow login, but have the users change password on login?
> >
> >
> > - Kenneth
> >
> >
> > On Wed, Jan 27, 2010 at 2:39 PM, s u p e r n a u t
> > <supernaut at gmx.com>wrote:
> >
> >> I've used this in the past to good effect with RHEL5.3 and W2K3.  I'm
> >> sure
> >> you'll have to make adjustments with W2K8, but it may be a good starting
> >> point.
> >>
> >>
> >>
> http://www.interopsystems.com/downloads/Native_LDAP_native_Kerberos_and_AD_services.pdf
> >>
> >>
> >>
> >> ----- Original Message ----- From: "Kenneth Holter"
> >> <kenneho.ndu at gmail.com
> >> >
> >> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
> >> Sent: Wednesday, January 27, 2010 7:58 AM
> >> Subject: Re: Configuring RHEL servers to authenticate with Windows
> >> Server
> >> 2008Active Directory
> >>
> >>
> >>  Thanks for your reply.
> >>>
> >>> I would like the account and group information to be maintained in AD.
> >>> Possibly later on we'll implement kerberos too.
> >>>
> >>>
> >>> - Kenneth
> >>>
> >>> On Tue, Jan 26, 2010 at 5:32 PM, Marti, Robert <RJM002 at shsu.edu>
> wrote:
> >>>
> >>>  If you just care about authentication and not accounts, I'd set up
> >>>> kerberos
> >>>> auth - much easier.  I have no experience setting up LDAP auth, sorry.
> >>>>
> >>>> Rob Marti
> >>>> ________________________________________
> >>>> From: redhat-list-bounces at redhat.com [redhat-list-bounces at redhat.com]
> >>>> On
> >>>> Behalf Of Kenneth Holter [kenneho.ndu at gmail.com]
> >>>> Sent: Tuesday, January 26, 2010 10:17
> >>>> To: redhat-list at redhat.com
> >>>> Subject: Configuring RHEL servers to authenticate with Windows Server
> >>>> 2008
> >>>>     Active Directory
> >>>>
> >>>> Hello all.
> >>>>
> >>>>
> >>>> I'd like to set my RHEL 4 and 5 servers up to authenticate with our
> >>>> Windows
> >>>> server 2008 Active Directory. Using "authconfig --update --enableldap
> >>>> --enableldapauth
> >>>> --ldapserver=ldap.example.com--ldapbasedn=dn=example,dn=com"
> >>>> and adding "binddn" and "bindpw" to the /etc/ldap.conf file, it looks
> >>>> like
> >>>> the linux box is connecting correctly to the AD server. But running
> >>>> "getent
> >>>> passwd <some-linux-user-defined-on-AD>" doesn't return any result.
> >>>>
> >>>> I'm suspecting that maybe it's my nss_ldap attribute mappings that are
> >>>> not
> >>>> correct. I have no attribute mapping defined, since I would think that
> >>>> there
> >>>> would be some default mappings that would work. Are there any default
> >>>> mapping, and in case what are they? Or maybe "authconfig" set up these
> >>>> mappings automatically? Any advice is appreciated.
> >>>>
> >>>> Best regards,
> >>>> Kenneth Holter
> >>>> --
> >>>> redhat-list mailing list
> >>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >>>> https://www.redhat.com/mailman/listinfo/redhat-list
> >>>>
> >>>> --
> >>>> redhat-list mailing list
> >>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >>>> https://www.redhat.com/mailman/listinfo/redhat-list
> >>>>
> >>>>  --
> >>> redhat-list mailing list
> >>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >>> https://www.redhat.com/mailman/listinfo/redhat-list
> >>>
> >>>
> >>
> >> --
> >> redhat-list mailing list
> >> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >> https://www.redhat.com/mailman/listinfo/redhat-list
> >>
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> >
>
>
> --
> Mike Burger
> http://www.bubbanfriends.org
>
> Visit the Dog Pound II BBS
> telnet://dogpound2.citadel.org or http://dogpound2.citadel.org
>
> To be notified of updates to the web site, visit:
>
> https://www.bubbanfriends.org/mailman/listinfo/site-update
>
> or send a blank email message to:
>
> site-update-subscribe at bubbanfriends.org
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>



More information about the redhat-list mailing list